General

Target: f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
Filesize: 772KB
Completed: 15-02-2022 04:43
Task: behavioral1
Score: 10/10

MD5: 9e8388274066861ecf159c212e153ec1
SHA1: 6ba52b3cca249625bce6de2fdf98002b7f476cde
SHA256: f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174
SHA512: 33a2a84cde6543aa464f4439d7db57e7debe6c87b7537b2b349da843b015b99cbd1d5dc70b347a6e8fcfa000652669cabc2e539748a5e127fdea72673915618c

Malware Config

Extracted

Family: vidar
Version: 47.9
Botnet: 937
C2: https://mas.to/@kirpich
Attributes: profile_id = 937
Signatures 7

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmp | family_vidar
    behavioral1/memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmp | family_vidar
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1812 | 964 | WerFault.exe | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid | process
    1812 | WerFault.exe
    1812 | WerFault.exe
    1812 | WerFault.exe
    1812 | WerFault.exe
    1812 | WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    WerFault.exe

    Reported IOCs

    pid | process
    1812 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1812 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe

    Reported IOCs

    description | pid | process | target process
    PID 964 wrote to memory of 1812 | 964 | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe | WerFault.exe
    PID 964 wrote to memory of 1812 | 964 | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe | WerFault.exe
    PID 964 wrote to memory of 1812 | 964 | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe | WerFault.exe
    PID 964 wrote to memory of 1812 | 964 | f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe | WerFault.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe
    "C:\Users\Admin\AppData\Local\Temp\f69a9cd55b6d88040a40f092ae962eccad79c773afb156eeec5919fd11ca7174.exe"
    Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1304
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1812
Network
Downloads
  • memory/964-54-0x00000000002ED000-0x000000000036A000-memory.dmp
  • memory/964-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
  • memory/964-56-0x00000000002ED000-0x000000000036A000-memory.dmp
  • memory/964-57-0x0000000002100000-0x00000000021D6000-memory.dmp
  • memory/964-58-0x0000000000400000-0x00000000004D9000-memory.dmp
  • memory/1812-59-0x00000000006D0000-0x00000000006D1000-memory.dmp